If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

ARP Flood?

I've just been reading up on the ARP protocol and from what I understand, the source and destination IP's are never verified in any manner. Consider a scenario like this:

1. I write a program that sends spoofed ARP packets to the universal broadcast address (255.255.255.255) or perhaps even a particular range such as 124.255.255.255 .

2. The program sends packets that say, "Who has &lt;some IP&gt;? Tell &lt;target IP&gt;" to a whole IP range (like a whole country or something).

3. Those computers that the packets reach, reply in good faith to &lt;target ip&gt;, thus tying up all it's bandwidth and DoSsing it.

4. The best part of an attack like this is that it'd be close to impossible to trace the origins, because the real source ip is not part of the packet. A clever hacker could even change the MAC address in the packet, thus making it even more difficult to trace him.

Has this been done before or am I missing something? Is it even possible to do something like this?

As far as I know its not possible on the internet as the target MAC address changes at each hop. The MAC address is used once the packet hits the final LAN in order to find the target machine. So if you are at point A and want to use the MAC address of router C the router you hit first won`t know what that MAC is so how would you route to it?

RFC 1433 specified that routers will not forward ARP requests that are not directed at themselves (section 3.3) so your router isn`t going to allow you to send the request and will instead send it back to the ARP Helper address in the routing table. So unless you have routers that allow ARP forwarding it isn`t going to work.

Originally posted here by R0n1n RFC 1433 specified that routers will not forward ARP requests that are not directed at themselves (section 3.3) so your router isn`t going to allow you to send the request and will instead send it back to the ARP Helper address in the routing table. So unless you have routers that allow ARP forwarding it isn`t going to work.

Ok. so that begs the odvoius question (pardon my spelling)...Can you program a CISCO router to foward ARP requests, thus bypassing the Standard?

Most new routers are now using BGP instead of ARP, partly for this very reason.

Windows 9x:n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can\'t stand 1 bit of competition.

Tempest: Yes, there's a command that forwards broadcast messages in Cisco routers but I don't recall it off the top of my head since I don't use it. There's a command that forwards DHCP requests across WAN links too for anyone interested:

ip helper-address xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the IP address of the remote DHCP server.

That having been said if you try forwarding ARP requests from your border router you are only going to get the packets as far as the first router you don't control.

Don\'t SYN us.... We\'ll SYN you..... \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.